Password confusion leads to higher costs and increased security risks
Tue 8 Apr 2014
Knowledge workers have to remember up to 12 unique passwords for their business applications – a total that has doubled in a year – and this is creating both practical and security issues according to a leading consultant.
“It is becoming an issue to remember them – and as users, most people don’t really care about passwords,” said Andrew Hindle, principal consultant on behalf of security provider Ping Identity, during the opening presentation at Cloud Expo Europe’s Security and Governance track.
He further warned that businesses are putting too much reliance on passwords, reducing security and increasing their costs.
“The world used to be a simple place from an enterprise IT perspective,” he said. “Everything important was inside the business, and you put a nice big wall around it. If anyone needed outside access you put very carefully controlled gateways into the firewall.
“But slowly the outside and inside world have blended,” he added. “If you use Salesforce, Gmail, or Success Factors you [already] have a large amount of data outside central IT control.”
Hindle pointed out that the boundaries are further blurred because of the growth of personal devices. Whether those devices are bought by the individual, or by IT, they are likely to contain business data, and be used to access business applications.
The result is a situation that, Hindle said, cannot go on. Businesses need to be more open to sharing data with partners, suppliers and even customers. Devices and applications might need to be treated as “users”. And human users “want to use systems in as convenient a way as possible, and you want them to be as secure as possible,” he said.
If IT cannot provide both secure and convenient access, users will try to bypass systems, opening up security risks.
Instead, companies should be moving to the “intelligent authentication of people”. There is a financial incentive as well as a security imperative to do this: one US company Hindle mentioned found it was paying $1m a year on password resets alone.
To avoid these costs and risks, companies should move to eliminate passwords rather than sync or replicate them, and should avoid creating new identity silos, he said.